What is proof? 


A rigorous mathematical argument which unequivocally 
demonstrates the truth of a given proposition. A mathematical 
statement that has been proven is called a theorem. 


Any theorem, no matter how difficult to 
prove in the first place, is viewed as 
trivial by mathematicians once it has 

been proven. Therefore, there are 
exactly two types of mathematical 
objects: trivial ones, and those which 
have not yet been proven. 


How do we prove? 


A mathematician is a 
machine for converting 
coffee* into theorems 


* - weak coffee is suitable only for lemmas 


How do we prove? 


I know how to prove 
Fermat's last theorem 

What does Fermat learn? 


• His theorem was true 
• Proof of the theorem 

• He could later convince other folks that he invented the proof! 


Could Andrew convince Pierre that he knows the proof without revealing it? 
A few definitions from complexity theory 


In cryptography all running times are measured in terms of the security parameter n, usually n ≈ 128 


Languages and statements 

QR_N = {x | x is a quadratic residue mod N} 

There exists a machine M such that for all x ∈ QR_N, M says ACCEPT 

GI_G = {H | H is isomorphic to G} 

There exists a machine M such that for all x ∈ GI_G, M says ACCEPT 

GĪ_G = {H | H is not isomorphic to G} 

There exists a machine M such that for all x ∈ GĪ_G, M says ACCEPT 

MAT = {x | x is a valid mathematical theorem} 


P and NP 

Language L belongs to class NP if there exists a machine M such that for all x ∈ L there exists w (of length poly(|x|)) with M(x, w) = 1, and M runs in polynomial time 

Language L belongs to class BPP if there exists a probabilistic machine M such that 

• ∀x ∈ L, Pr_M[M(x) = 1] ≥ 2/3 
• ∀x ∉ L, Pr_M[M(x) = 1] ≤ 1/3 


NP problems 

Exemplary NP problems 

A problem is in NP if we can efficiently verify its solutions 

Factorization of integers: 
No efficient general factorization algorithm is known 
Given a factorization, we can check it 

Graph isomorphism: 
Hard to tell whether two graphs are isomorphic 
Given the isomorphism itself, we can check it 

Factorize: 71 850 192 453 (hard) 
Check that: 71850192453 = 47*39*23*141*237*3*17 (easy) 


NP class 

All problems in P are in NP 
NP-hard 
NP-complete 

NP-hard problems: 
Problems at least as hard as any problem in class NP 

NP-complete problems: 
If we can solve one of them, we can solve all problems in NP 
(all NP problems can be reduced to an NP-complete problem) 

(the picture assumes P ≠ NP) 


Complexity 

If we could prove that an NP-complete problem can be proven in zero knowledge, then all NP problems could be proven in zero knowledge! 
Interactive proof 

Prover P (input x, w)                 Verifier V (input x) 

Prover interacts with Verifier, convincing him that the proposition is true 

[Diagram: messages a_1, ..., a_n are exchanged between P and V; at the end V outputs ACCEPT (x ∈ L) or REJECT (x ∉ L)] 


Interactive proof 

Prover P                              Verifier V 

P: I know that x ∈ L, so I want Pierre to accept my proof 

V: Is it possible that I accept a proof but x ∉ L? 


Interactive proof 

Definition: An interactive proof system for membership in L is a pair of algorithms (P, V) such that ∀x: 

COMPLETENESS: 
If x ∈ L, then Pr[(P(w), V)(x) = ACCEPT] > - 

SOUNDNESS: 
If x ∉ L, then Pr[(P*, V)(x) = ACCEPT] ≤ - 

Probabilistic nature of the proof: 
it needs to be repeated n times to get soundness around (1/2)^n 

If P* is very lucky, he can convince V to accept x ∉ L 


Color blindness 


What can we prove interactively? 

Class of problems provable interactively: IP 

NP-hard 
NP-complete 

PSPACE: problems that can be solved in polynomial memory (don't care about the time!) 

NP ⊆ PSPACE 

IP ⊆ PSPACE 


Boolean satisfiability 
SAT = {φ | φ is a satisfiable boolean formula} 
SAT = {φ(w_1, ..., w_n) | ∃w ∈ {0,1}^n, φ(w) = 1} 

P                                     V 
φ ∈ SAT, knows w; sends w   →   checks φ(w) =? 1 

COMPLETE? - YES, since V accepts if φ ∈ SAT 


Quadratic residuosity 

QR_N = {x | x is a quadratic residue mod N} 

P                                     V 
knows w: w² = x; sends w   →   checks w² =? x mod N 

V might not be able to find w on his own! 


[Diagram: interactive proofs; inside them zero-knowledge proofs (ZKP); inside those non-interactive zero-knowledge proofs. How to make V learn nothing in the non-interactive setting: Random Oracle, Common Reference String; SNARKs] 


Zero-knowledge proof 

Prover P                              Verifier V 

P: I want Pierre to believe me without showing w 

How to define zero knowledge? 

• V didn't learn w 
• V didn't learn any symbol of w 
• V didn't learn any information about w 
• V didn't learn anything except x ∈ L 

V learned something if V can compute something he couldn't compute before 

Zero knowledge: whatever is computed following the interaction could have been computed without it 


Zero knowledge 

Zero knowledge: 
if for all x ∈ L, V's view can be efficiently simulated 

What does it mean? 

Intuitively: 
• V is given the information that x ∈ L 
• Modulo this, it could have talked to itself 

Technically: 
• (view) ≡ (simulation) 
• Whatever V could compute, he could compute even without talking with P 

V does not need P 

Zero Knowledge 


V's view can be simulated in polynomial time 

An interactive proof (P, V) for L is zero-knowledge if 
∀V there exists a PPT S such that ∀x ∈ L 
S^V(x) ≡ (P, V)(x), i.e. 
Pr[S^V(x) = (m_1, ..., m_n)] = Pr[(P, V)(x) = (m_1, ..., m_n)] 

The simulator can be probabilistic (probabilistic polynomial time) 

S has black-box access to V if it observes only V's inputs / outputs (usually) 


Zero Knowledge 

An interactive proof (P, V) for L is zero-knowledge if 
∀V there exists a PPT S such that ∀x ∈ L 
S^V(x) ≡ (P, V)(x) 

It is only required that a simulator exists! 
No more, but no less 


Indistinguishability 
S^V(x) ≡ (P, V)(x) 

SD(S(x), (P, V)(x)) = 0            perfect ZK 

SD(S(x), (P, V)(x)) = negl(k)      statistical ZK 

A function negl is negligible if for every polynomial poly there exists k_0 such that for k > k_0: negl(k) < 1/poly(k) (e.g. 2^(-k)) 


Different flavours of ZK 

Interactive vs non-interactive; proof vs argument 


Quadratic residuosity again 

QR_N = {x | x is a quadratic residue mod N} 

P                                     V 
sends w (w² = x)   →   checks w² =? x mod N 

Why is it not zero-knowledge? 

1. For all x ∈ QR_N, S(x)² = x mod N 

2. For all x ∉ QR_N, S(x)² ≠ x mod N 

3. Since QR_N ∉ BPP (assumed), there is x ∈ QR_N with S(x)² ≠ x mod N, so the simulator cannot output the prover's message 


Quadratic residuosity - ZK proof 

QR_N = {x | x is a quadratic residue mod N} 

P (knows w: w² = x mod N)                          V (knows x) 
r ←_R Z_N*, y = r² mod N             — y →  
                                     ← b —         b ←_R {0,1} 
z_0 = r, z_1 = r·w mod N             — z_b →       checks z_0² =? y (if b = 0) or z_1² =? x·y (if b = 1) 

Why is it complete? 


Quadratic residuosity - soundness 

Soundness: 
x ∈ QR_N iff 
∃y: y ∈ QR_N and x·y ∈ QR_N 

If Pr[(P*, V) = 1] > 1/2 
then both z_0² = y and z_1² = x·y, so x = (z_1/z_0)² is a quadratic residue 


Quadratic residuosity - 
perfect honest-verifier zero-knowledge 

The simulation: 
1. Sample z ←_R Z_N* 
2. Sample b ←_R {0,1} 
3. Set y = z² / x^b mod N 
4. Output (y, b, z) 


Quadratic residuosity - 
perfect zero-knowledge 

The simulation: 
1. Sample z ←_R Z_N* 
2. Sample b ←_R {0,1} 
3. Set y = z² / x^b mod N 
4. If V*(y) = b output (y, b, z), else repeat 

Expected number of iterations: 2 
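The whole quadratic-residuosity protocol from the slides above, as an added example that is not part of the lecture: the honest prover, the verifier's single check z² = y·x^b, a cheating prover that guesses b in advance (and therefore succeeds in about half of the rounds), and the rewinding simulator. The modulus N = 77, the witness w = 10 and the seeds are constructed toy values; a real instance uses an RSA-sized N.

```python
import random
from math import gcd

# Constructed toy instance: N = 7 * 11 = 77, witness w = 10, statement x = w^2 mod N = 23.
N, w = 77, 10
x = w * w % N

def rand_unit(n, rng):
    """Uniform element of Z_n^* (residues coprime to n)."""
    while True:
        r = rng.randrange(1, n)
        if gcd(r, n) == 1:
            return r

def verifier_check(x, y, b, z, n):
    """V's only check in a round: z^2 == y * x^b (mod n)."""
    return z * z % n == y * pow(x, b, n) % n

def run_protocol(x, w, n, rounds, seed=0):
    """Honest P (knows w) against honest V; True iff every round accepts."""
    rng = random.Random(seed)
    for _ in range(rounds):
        r = rand_unit(n, rng)
        y = r * r % n                              # P -> V: y = r^2
        b = rng.randrange(2)                       # V -> P: challenge bit
        z = r if b == 0 else r * w % n             # P -> V: z_b with z_0 = r, z_1 = r*w
        if not verifier_check(x, y, b, z, n):
            return False
    return True

def cheat_success_rate(x, n, trials, seed=0):
    """P* holds no root of x: it guesses b, sets y = z^2 / x^guess and wins iff the guess was right."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        guess, z = rng.randrange(2), rand_unit(n, rng)
        y = z * z * pow(pow(x, guess, n), -1, n) % n
        b = rng.randrange(2)                       # V's real challenge
        wins += verifier_check(x, y, b, z, n)
    return wins / trials

def simulator(x, n, verifier_bit, seed=0):
    """Perfect ZK simulator: pick z and b first, set y = z^2 / x^b, rewind V* until it asks for b.
    verifier_bit(y) models V*'s (possibly adversarial) choice of b after seeing y.
    Returns (transcript, number of attempts); the expected number of attempts is 2."""
    rng = random.Random(seed)
    attempts = 0
    while True:
        attempts += 1
        z, b = rand_unit(n, rng), rng.randrange(2)
        y = z * z * pow(pow(x, b, n), -1, n) % n
        if verifier_bit(y) == b:
            return (y, b, z), attempts

if __name__ == "__main__":
    print("honest prover, 20 rounds:", run_protocol(x, w, N, 20))
    print("cheating prover, per-round success:", cheat_success_rate(x, N, 2000))
    transcript, attempts = simulator(x, N, lambda y: y % 2)
    print("simulated transcript", transcript, "passes V's check:",
          verifier_check(x, *transcript, N), "after", attempts, "attempt(s)")
```

The simulator never touches w, yet its transcripts pass exactly the check the verifier runs; the cheating prover's rate of about 0.5 is the per-round soundness error that sequential repetition drives down to 1/2^n.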


Cheating prover 

P*: If I guess b correctly, I can pick y and z to convince V 

P* can cheat V with probability 1/2 


Amplifying soundness 

Sequential composition 
ACCEPT if all repetitions accept 
n iterations gives soundness ≤ 1/2^n 

Parallel composition 
ACCEPT if all repetitions accept 
n iterations gives soundness ≤ 1/2^n 

Simulating the parallel composition: impossible in a black-box model 

Possible with some relaxations 


Auxiliary input 


ZK proof for GI 

GI_G = {H | H is isomorphic to G} 

P (knows f: f(G) = H)                               V 
Pick permutation σ and compute F = σ(G)   — F →  
                                          ← b —     b ←_R {0,1} 
b = 0: show F ≅ G 
b = 1: show F ≅ H 

The protocol is zero-knowledge (food for thought) 

Fact: Let G = (V, E) with V public. 
Then σ(G), for a random permutation σ, is a random element of the set of all graphs isomorphic to G 
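The GI protocol above, as an added example that is not part of the lecture: the prover answers b = 0 with σ and b = 1 with σ∘f⁻¹, the verifier checks that the received permutation maps G (or H) onto F, and an honest-verifier simulator produces the same kind of transcript without knowing f. Graphs are sets of undirected edges; the 4-cycle instance and the isomorphism f are constructed for the example.

```python
import random

def apply_perm(edges, perm):
    """Relabel every edge {u, v} as {perm[u], perm[v]}; graphs are frozensets of frozenset edges."""
    return frozenset(frozenset(perm[v] for v in e) for e in edges)

def compose(outer, inner):
    """(outer ∘ inner)(v) = outer[inner[v]]"""
    return {v: outer[inner[v]] for v in inner}

def invert(perm):
    return {img: v for v, img in perm.items()}

def random_perm(n, rng):
    labels = list(range(n))
    rng.shuffle(labels)
    return dict(zip(range(n), labels))

def verifier_check(G, H, F, b, pi):
    """b = 0: pi must map G onto F; b = 1: pi must map H onto F."""
    return apply_perm(G if b == 0 else H, pi) == F

def run_protocol(G, H, f, n, rounds, seed=0):
    """Honest prover knowing f with f(G) = H against an honest verifier; True iff all rounds accept."""
    rng = random.Random(seed)
    for _ in range(rounds):
        sigma = random_perm(n, rng)                           # P: fresh random relabelling
        F = apply_perm(G, sigma)                              # P -> V: F = σ(G)
        b = rng.randrange(2)                                  # V -> P: challenge
        pi = sigma if b == 0 else compose(sigma, invert(f))   # P -> V: σ, or σ∘f⁻¹ (maps H onto F)
        if not verifier_check(G, H, F, b, pi):
            return False
    return True

def simulate(G, H, n, seed=0):
    """Honest-verifier simulator: choose b and π first, then F so that V's check passes; f is never used."""
    rng = random.Random(seed)
    b = rng.randrange(2)
    pi = random_perm(n, rng)
    F = apply_perm(G if b == 0 else H, pi)
    return F, b, pi

# Constructed instance: G is the 4-cycle 0-1-2-3-0, H = f(G) for the permutation f below.
G = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 0)])
f = {0: 2, 1: 0, 2: 3, 3: 1}
H = apply_perm(G, f)
# A path on the same vertices, not isomorphic to the 4-cycle: the honest prover's f does not help here.
H_other = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3)])

if __name__ == "__main__":
    print("honest prover accepted:", run_protocol(G, H, f, 4, 20))
    print("same prover against a non-isomorphic H:", run_protocol(G, H_other, f, 4, 30))
    F, b, pi = simulate(G, H, 4)
    print("simulated transcript passes:", verifier_check(G, H, F, b, pi))
```

Because σ is fresh in every round, the F the verifier sees is a uniformly random member of the isomorphism class of G (the fact on the slide), which is exactly what the simulator samples.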


ZK proof for GĪ 

GĪ_G = {H | H is not isomorphic to G} 

P (G, H ∈ GĪ_G; can decide this for any relabeling of G and H)          V 
                                    ← (F_1, F_2) —    Take (G, H) and randomly relabel it, in a random order, as (F_1, F_2) 
Decide which of F_1, F_2 is isomorphic to G   — answer → 

The protocol is not zero-knowledge if we allow V to take some auxiliary input: 
V may use P to learn whether any of F_1, F_2 is isomorphic with G 


ZK proof for GĪ 

GĪ_G = {H | H is not isomorphic to G} 

P (G, H ∈ GĪ_G; can decide this for any relabeling of G and H)          V 
                                    ← (F_0, F_1) —    Take (G, H) and randomly relabel it, in a random order, as (F_0, F_1) 
                                    ← ZK proof →      Show in ZK that (G, H) ≅ (F_0, F_1) 
Decide which of F_0, F_1 is isomorphic to G   — answer → 

Soundness (intuition) 
P* can cheat V with probability 1/2 (random guess) 

Zero knowledge (intuition) 
P only shows which F_i is isomorphic to G. This is already known to V 


ZK proof for GĪ: GĪ_G = {H | H ≇ G} 

V: Take (G, H), a random permutation σ, and compute (F_0, F_1) = σ(G, H) (in random order) 
V (as prover of the sub-proof): Pick permutation σ' and compute (E_0, E_1) = σ'(G, H) 
P (as verifier of the sub-proof) picks b: 
b = 0: show (E_0, E_1) ≅ (G, H) 
b = 1: show (E_0, E_1) ≅ (F_0, F_1) 

Zero knowledge 
1. Simulator S picks a random bit b 
• If b = 0: S learns the permutation σ' 
• If b = 1: S learns the permutation σ ∘ σ'⁻¹ 
2. Simulator S rewinds the verifier and picks b again 
3. When the picked bits are different, S learns both σ' and σ ∘ σ'⁻¹, thus can compute σ and decide which of F_0, F_1 is isomorphic to G 


Auxiliary input 

DEFINITION: Interactive proof (P, V) is zero-knowledge w.r.t. auxiliary input if for every PPT V*, ∀x ∈ L, ∀z: 
S^{V*}(x, z) ≡ (P, V*(z))(x) 

• Captures the context in which the protocol is executed 
• Useful if V may have some a priori information about w 

The simulator also gets the auxiliary input 

Crucial for composition 


Auxiliary input and composition 

[Diagram: poly(k) sequential repetitions; round i runs the verifier with everything learned so far as auxiliary input: V_1(x, z) outputs z_1, V_2(x, z, z_1) outputs z_2, ..., V_n(x, z, z_1, ..., z_{n-1}) outputs z_n] 

[Diagram: the simulators compose the same way: S^{V_1}(x, z) → z_1, S^{V_2}(x, z, z_1) → z_2, ..., S^{V_n}(x, z, z_1, ..., z_{n-1}) → z_n] 

DEFINITION: Interactive proof (P, V) is zero-knowledge w.r.t. auxiliary input if for every PPT V*, ∀x ∈ L, ∀z: 
S^{V*}(x, z) ≡ (P, V*(z))(x) 


SAT and perfect ZK 

SAT = {φ | φ is a satisfiable boolean formula} 
SAT = {φ(w_1, ..., w_n) | ∃w ∈ {0,1}^n, φ(w) = 1} 

If there is PZK for SAT, then the polynomial hierarchy collapses 

Possible relaxation: 
statistical / computational ZK, computational soundness 

If there is SZK for SAT, then the polynomial hierarchy collapses 


Different flavours of ZK 

Interactive vs non-interactive; proof vs argument 


Computational ZK 

Computational ZK: 
∀PPT V* ∃PPT S ∀x ∈ L ∀z 
S(x, z) ≈_c (P, V*(z))(x) 

X and Y are computationally ε-close if for every PPT algorithm D 
|Pr[D(X) = 1] − Pr[D(Y) = 1]| < ε 

PZK ⊆ SZK ⊆ CZK 

THEOREM: Suppose one-way functions exist, then 
NP ⊆ CZK 


Commitment schemes 

Coin-flipping over the phone 

Let's make a lottery over the phone. We will flip a coin. I win at heads, you win at tails 

Andrew picks bit b_0, Pierre picks bit b_1, and the result is b_0 + b_1 mod 2 
heads = 0, tails = 1 


Security 

Goal: 
Have a protocol π that ends in a bit b that is uniformly distributed over {0, 1} 

Andrew: Even if Pierre is cheating, π will produce a uniform output 
Pierre: Even if Andrew is cheating, π will produce a uniform output 

Whoever sends the bit first loses? 

Committer cannot change the content after it was sent 

Receiver cannot check the content before they get the key 


Commitment scheme 

BINDING 
Committer cannot change the content after it was sent 

HIDING 
Receiver cannot check the content before they get the key 

Commitment scheme 
Commit:   C → R: c = Com(m, r) 
Reveal:   C → R: (m, r) = Dec(c) 

Receiver, given commitment c and its opening m', r', checks whether Com(m', r') = c 


Perfectly-hiding commitment schemes 

Perfectly hiding commitment scheme (Com, Dec) is 
• Perfectly hiding: ∀m_1, m_2 
Pr[Com(m_1, r) = c] = Pr[Com(m_2, r) = c] 
• Computationally binding: ∀PPT C* ∀m_1 ≠ m_2 
Pr[C* wins the binding game] ≤ negl(n) 

Binding game: 
C* wins the binding game if it generates c, m_1, r_1, m_2, r_2 such that 
c = Com(m_1, r_1) = Com(m_2, r_2) for m_1 ≠ m_2 


Pedersen commitment scheme 

Discrete logarithm problem: 
Let G be a finite group and g a generator of a subgroup of G. We say A solves the discrete logarithm problem if A(G, g, g^x) = x 

Discrete logarithm assumption 
Let g be a generator of a subgroup of Z_p^*; then the discrete logarithm is hard 

Pedersen commitment 
Let g, h = g^x be Z_p^* elements such that no one knows x 

Com(m, r) = g^m h^r 

Pedersen commitment - binding 

Pedersen commitment 
Let g, h = g^x be Z_p^* elements such that no one knows x; then 
Com(m, r) = g^m h^r 

Computational binding: 
Assume A could open c to two different (m, r) and (m', r'); then 
g^m h^r = g^{m'} h^{r'}, i.e. g^{m − m'} = h^{r' − r}, 
so A could compute x = (m − m') / (r' − r), contradicting the discrete logarithm assumption 

Pedersen commitment - hiding 

Pedersen commitment 
Let g, h = g^x be Z_p^* elements such that no one knows x; then 
Com(m, r) = g^m h^r 

Perfect hiding: 
Assume A, given c, could tell whether it hides m or m'; but for all m, r, m' there is r' such that 

Com(m, r) = c = Com(m', r') 
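An added example, not part of the lecture, tying the coin-flipping protocol to the Pedersen commitment: Andrew commits to b_0 with Com(b_0, r) = g^{b_0} h^r, Pierre answers b_1, Andrew opens, and the result is b_0 + b_1 mod 2. The group parameters (p = 23, q = 11, g = 4 generating the order-11 subgroup of Z_23^*) and the trapdoor x = 7 are constructed; `equivocate` exists only to show concretely why the scheme is perfectly hiding (a second opening always exists) and why binding rests on nobody knowing log_g(h), since `find_other_opening` brute-forces that second opening in a group this small.

```python
import random

# Constructed toy parameters: g = 4 has order q = 11 in Z_23^*. In a real setup h is
# generated so that nobody knows x = log_g(h); it is kept here only for the demonstration.
p, q, g = 23, 11, 4
x_trapdoor = 7
h = pow(g, x_trapdoor, p)            # h = g^x = 8

def com(m, r):
    """Pedersen commitment Com(m, r) = g^m h^r mod p, with m and r taken mod q."""
    return pow(g, m % q, p) * pow(h, r % q, p) % p

def open_ok(c, m, r):
    """Receiver's check on an opening (m, r) of c."""
    return com(m, r) == c

def equivocate(m, r, m2):
    """With the trapdoor x: the r2 with Com(m2, r2) == Com(m, r), from m + x*r = m2 + x*r2 (mod q).
    Such an r2 exists for every m2 whether or not anyone can compute it: that is perfect hiding."""
    return (r + (m - m2) * pow(x_trapdoor, -1, q)) % q

def find_other_opening(c, m2):
    """Brute force over Z_q for an r2 opening c to m2; feasible only because q is tiny."""
    for r2 in range(q):
        if com(m2, r2) == c:
            return r2
    return None

def coin_flip(b0, b1, seed=0):
    """Andrew commits to b0, Pierre replies with b1 after seeing only c, Andrew opens; result b0 + b1 mod 2."""
    rng = random.Random(seed)
    r = rng.randrange(q)
    c = com(b0, r)                   # Andrew -> Pierre: c hides b0
    # Pierre -> Andrew: b1, chosen without knowledge of b0
    # Andrew -> Pierre: the opening (b0, r); b0 is fixed by c, so Andrew cannot adapt it to b1
    if not open_ok(c, b0, r):
        raise ValueError("invalid opening")
    return (b0 + b1) % 2

if __name__ == "__main__":
    c = com(5, 3)
    print("commitment to 5:", c, "opens correctly:", open_ok(c, 5, 3))
    r2 = equivocate(5, 3, 6)
    print("trapdoor opening of the same c to 6 uses r2 =", r2, "->", open_ok(c, 6, r2))
    print("brute-forced second opening:", find_other_opening(c, 6))
    print("coin flip with b0 = 1, b1 = 0:", coin_flip(1, 0))
```

The receiver's check is the only thing the protocol relies on: hiding keeps b_0 from Pierre until the opening, and binding (computational, because the second opening exists but needs x) stops Andrew from changing b_0 after seeing b_1.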


Statistically-binding commitment schemes 

Statistically binding commitment scheme (Com, Dec) is 
• Computationally hiding: ∀PPT R* ∀m_1, m_2 
Com(m_1) ≈_c Com(m_2) 
• Statistically binding: ∀C* ∀m_1, m_2 
Pr[C* wins the binding game] ≤ negl(n) 

Binding game: 
C* wins the binding game if it generates c, m_1, r_1, m_2, r_2 such that 
c = Com(m_1, r_1) = Com(m_2, r_2) for m_1 ≠ m_2 


Statistically binding commitment schemes 

PRG: {0,1}^n → {0,1}^{3n} 
Given a random input of length n, outputs a pseudorandom output of length 3n 

pseudorandom = no efficient machine can tell it from a random string 

C (commits to bit b)                                     R 
                                        ← X —            Selects a random X ∈ {0,1}^{3n} 
Selects a random Z ∈ {0,1}^n 
If b = 0 sends Y = PRG(Z) ⊕ X, if b = 1 sends Y = PRG(Z)   — Y → 
Open commitment: send Z (and b)         — Z →            Check: Y = PRG(Z) ⊕ X when b = 0, Y = PRG(Z) when b = 1 

Note: each public key cryptosystem is a perfectly binding, computationally hiding commitment 


Statistical binding 

Proof intuition 

To be able to cheat, the committer has to find Z and Z' such that 

PRG(Z) ⊕ X = Y = PRG(Z') 
Thus PRG(Z) ⊕ PRG(Z') = X 

How many X's have the property that there exist Z and Z' with PRG(Z) ⊕ PRG(Z') = X? 
By a counting argument, at most (2^n)² = 2^{2n} 
Therefore the probability that a random X ∈ {0,1}^{3n} has this property is 

2^{2n} / 2^{3n} = 2^{-n} (negligible) 


Perfectly binding and perfectly hiding commitment? 

Impossible 

Perfectly hiding: 
For each m, m' there are r, r' such that 
Com(m, r) = Com(m', r') 
Otherwise an adversary could find m by exhaustive search over all possible m and r and break hiding 

Perfectly binding: 
For each m, m' and all r, r' 
Com(m, r) ≠ Com(m', r') 
Otherwise an adversary could find m, m' by exhaustive search over all possible m, m' and r, r' and break binding 


NP ⊆ CZK 

NP-complete problems 

Recall: if we can solve at least one NP-complete problem, we can solve all problems in NP 

Graph Hamiltonicity 

HAM = {G | G has a Hamiltonian cycle} 
Hamiltonian cycle: a cycle that visits each node exactly once 

Finding a Hamiltonian cycle in a graph is NP-complete 
(i.e. it is at least as hard as any other problem in the NP class) 

[Figure: INPUT graph, OUTPUT Hamiltonian cycle] 

Every L ∈ NP is poly-time reducible to HAM: 
∃ poly-time computable function f such that for all x 
x ∈ L ⟺ f(x) ∈ HAM 

To prove L ∈ CZK it is sufficient to show HAM ∈ CZK 

P (x, w): computes f(x) and g(w), a Hamiltonian cycle in f(x); runs the HAM prover          V (x): computes f(x); runs the HAM verifier 

Adjacency matrix 


ZK proof for HAM 

P: G = (V, E), a Hamiltonian graph; w, a Hamiltonian cycle in G                V: G 
Pick permutation φ and compute G' = φ(G) 
Commit to each entry of the adjacency matrix of G': c = Com(G')    — c → 
                                                                    ← b —   Pick random bit b 
b = 0: reveal the Hamiltonian cycle in G' 
b = 1: open all commitments, reveal φ 

b = 0 ⇒ reveal cycle 
c = Com(φ(G)), u ← Dec(c) 
V checks: the decommitment is valid and u is a Hamiltonian cycle 

b = 1 ⇒ reveal permutation 
φ(1) = 6, φ(2) = 3, φ(3) = 4, φ(4) = 2, φ(5) = 5, φ(6) = 1 
V checks: the decommitment is valid, φ is a permutation and the opened matrix is φ(G) 


HAM soundness 

If Pr[(P*, V) accepts G] > 1/2 then both 
• u is a Hamiltonian cycle in G' 
• G' = φ(G) 
⇒ φ⁻¹(u) is a Hamiltonian cycle in G 


HAM zero-knowledge 

Simulator S^{V*}(G) 

1. Sample b ←_R {0,1} 
• If b = 0 pick randomly a graph G' with a Hamiltonian cycle u 
• If b = 1 pick a random permutation φ and compute G' = φ(G) 
• Compute c = Com(G') and send it to V* 
2. If V*(c) = b 
• b = 0: output (c, b, u) 
• b = 1: output (c, b, (φ, G')) 
3. Else repeat 
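One round of the HAM protocol and the two verifier checks above, as an added example that is not part of the lecture. The commitment used here, SHA-256(r || bit) with a random 16-byte r, is an assumption of this example standing in for Com (hiding because of r, binding for anyone who cannot find SHA-256 collisions), not the commitment the lecture constructs. The 6-vertex graph, its cycle and the seeds are constructed; `is_hamiltonian_cycle` checks the structural condition V needs for b = 0, and `verify` for b = 1 recomputes φ(G) from the opened matrix.

```python
import hashlib
import random

def com(bit, r):
    """Stand-in bit commitment (assumption of this example): SHA-256(r || bit), r 16 random bytes."""
    return hashlib.sha256(r + bytes([bit])).digest()

def adjacency(n, edges):
    A = [[0] * n for _ in range(n)]
    for u, v in edges:
        A[u][v] = A[v][u] = 1
    return A

def permute_graph(A, phi):
    """G' = φ(G): entry (φ(u), φ(v)) of G' equals entry (u, v) of G."""
    n = len(A)
    B = [[0] * n for _ in range(n)]
    for u in range(n):
        for v in range(n):
            B[phi[u]][phi[v]] = A[u][v]
    return B

def is_hamiltonian_cycle(n, positions):
    """positions: the (u, v) matrix entries P opened; they must form one n-cycle through every vertex."""
    if len(positions) != n:
        return False
    succ = {}
    for u, v in positions:
        if u in succ:                     # a vertex left twice
            return False
        succ[u] = v
    seen, cur = set(), positions[0][0]
    for _ in range(n):                    # follow successors; after n steps we must be back at the start
        if cur in seen:
            return False
        seen.add(cur)
        cur = succ.get(cur)
    return cur == positions[0][0] and len(seen) == n

class Prover:
    def __init__(self, A, cycle, rng):
        self.A, self.cycle, self.rng, self.n = A, cycle, rng, len(A)

    def commit(self):
        """Pick φ, compute G' = φ(G) and commit to every entry of its adjacency matrix."""
        n = self.n
        self.phi = list(range(n))
        self.rng.shuffle(self.phi)
        self.Gp = permute_graph(self.A, self.phi)
        self.r = [[self.rng.getrandbits(128).to_bytes(16, "big") for _ in range(n)] for _ in range(n)]
        return [[com(self.Gp[u][v], self.r[u][v]) for v in range(n)] for u in range(n)]

    def answer(self, b):
        if b == 0:                        # open only the entries of the cycle, relabelled by φ
            c = [self.phi[v] for v in self.cycle]
            edges = [(c[i], c[(i + 1) % self.n]) for i in range(self.n)]
            return [(u, v, self.Gp[u][v], self.r[u][v]) for u, v in edges]
        return self.phi, self.Gp, self.r  # open everything and reveal φ

def verify(A, commitments, b, answer):
    n = len(A)
    if b == 0:
        for u, v, bit, r in answer:
            if bit != 1 or com(bit, r) != commitments[u][v]:
                return False
        return is_hamiltonian_cycle(n, [(u, v) for u, v, _, _ in answer])
    phi, Gp, r = answer
    if sorted(phi) != list(range(n)):     # φ must be a permutation
        return False
    for u in range(n):
        for v in range(n):
            if com(Gp[u][v], r[u][v]) != commitments[u][v]:
                return False
    return Gp == permute_graph(A, phi)    # the opened matrix must be φ(G)

def run(A, cycle, rounds, seed=0):
    """Honest prover holding `cycle` against an honest verifier; True iff every round accepts."""
    rng = random.Random(seed)
    for _ in range(rounds):
        p = Prover(A, cycle, rng)
        c = p.commit()
        b = rng.randrange(2)
        if not verify(A, c, b, p.answer(b)):
            return False
    return True

# Constructed instance: a 6-cycle plus two chords; the witness is the 6-cycle itself.
A6 = adjacency(6, [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 0), (0, 3), (1, 4)])
CYCLE6 = [0, 1, 2, 3, 4, 5]

if __name__ == "__main__":
    print("honest prover, 10 rounds:", run(A6, CYCLE6, 10))
    print("prover with a wrong cycle:", run(A6, [0, 1, 2, 3, 5, 4], 10))
```

A prover holding a non-cycle is caught whenever b = 0 (some opened entry is a 0, and the commitment prevents opening it as a 1), and a prover whose G' is not a relabelling of G is caught whenever b = 1, which is the soundness argument of the next slide.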


Importance of commitment 

Since Com is computationally hiding, S^{V*} runs in expected polynomial time: 
Since Com is hiding and V* is PPT, 
Pr[V*(Com(G'(b))) = b] ≈ 1/2 
Otherwise V* could distinguish Com(G'(0)) from Com(G'(1)) 

Since Com is statistically binding, no P* can open the commitment in two ways 


Different flavours of ZK 

Interactive vs non-interactive; proof vs argument 


Amplifying soundness 

Parallel composition 
ACCEPT if all repetitions accept 
n iterations gives soundness ≤ 1/2^n 

How to simulate? S has to rewind all blocks at the same time: 
E[time(S)] = 2^n · time(V*) 

Idea: Use commitments to get around the impossibility result 


Parallel HAM 

[Diagram: two columns of the parallel protocol. Left, plain parallel repetition: P sends Com(G'), V sends b, then b = 0: reveal the Hamiltonian cycle in G', b = 1: open all commitments and reveal φ. Right, the modified version: V commits to its challenge before P sends Com(G'), then opens it] 

HVZK parallel HAM 
• Rewind V to the time b is known 
• V cannot change their commitment 

Only an argument: 
Com has to be statistically binding, thus it can be only computationally hiding 

b = 0: reveal the Hamiltonian cycle in G' 
b = 1: open all commitments, reveal φ 


Different flavours of ZK 

Interactive vs non-interactive; perfect / statistical / computational; proof vs argument 


ZK applications 

Schnorr identification scheme 

P (knows w such that x = g^w)                       V (knows x) 
k ←_R Z_p, send I = g^k              — I → 
                                     ← r —          r ←_R 
s = r·w + k                          — s →          ACCEPT iff g^s = I · x^r 

Note: For a cyclic group G, for all x there is w such that x = g^w. 
Thus the language is trivial. 
However, Andrew shows here that he knows w 

Not zero-knowledge, but honest-verifier zero-knowledge 

Special soundness: 
Given two conversations (I, r, s) and (I, r', s') such that r ≠ r', one can extract the witness w 

Proof: 
s = r·w + k, s' = r'·w + k 
g^{s − s'} = x^{r − r'}, i.e. s − s' = (r − r')·w        (Remember: the language is trivial) 
s, s', r, r' are known! 
w = (s − s') / (r − r') 
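The Schnorr identification scheme, its honest-verifier simulator and the special-soundness extractor, as an added example that is not part of the lecture. The group is a constructed toy: g = 4 has order q = 11 in Z_23^*, and exponents are reduced mod the subgroup order q (the slide writes the exponent domain as Z_p); a real deployment uses a subgroup of prime order around 2^256. `extract` is the computation w = (s − s')/(r − r') from two transcripts that share I, which is why the secret nonce k must never be reused.

```python
import random

# Constructed toy group: p = 23, q = 11, g = 4 generates the order-11 subgroup of Z_23^*.
p, q, g = 23, 11, 4

def keygen(seed=0):
    rng = random.Random(seed)
    w = rng.randrange(1, q)
    return w, pow(g, w, p)                      # witness w, public x = g^w

def prover_commit(seed=0):
    rng = random.Random(seed)
    k = rng.randrange(q)
    return k, pow(g, k, p)                      # keep k secret, send I = g^k

def prover_respond(w, k, r):
    return (r * w + k) % q                      # s = r·w + k

def verifier_check(x, I, r, s):
    return pow(g, s, p) == I * pow(x, r, p) % p   # g^s =? I · x^r

def run(w, x, rounds=10, seed=0):
    """Honest prover against an honest verifier; a fresh nonce k in every round."""
    rng = random.Random(seed)
    for _ in range(rounds):
        k, I = prover_commit(seed=rng.getrandbits(32))
        r = rng.randrange(q)
        if not verifier_check(x, I, r, prover_respond(w, k, r)):
            return False
    return True

def extract(r1, s1, r2, s2):
    """Special soundness: from (I, r1, s1) and (I, r2, s2) with r1 != r2 recover w = (s1 - s2)/(r1 - r2) mod q."""
    return (s1 - s2) * pow((r1 - r2) % q, -1, q) % q

def hvzk_simulate(x, seed=0):
    """Honest-verifier simulator: choose r and s first, then I = g^s / x^r so that V's check passes.
    This only matches a verifier whose r is independent of I, which is why the scheme is HVZK, not ZK."""
    rng = random.Random(seed)
    r, s = rng.randrange(q), rng.randrange(q)
    I = pow(g, s, p) * pow(pow(x, r, p), -1, p) % p
    return I, r, s

if __name__ == "__main__":
    w, x = keygen(seed=1)
    print("identification succeeds:", run(w, x))
    k, I = prover_commit(seed=3)
    s1, s2 = prover_respond(w, k, 2), prover_respond(w, k, 5)   # same I answered twice
    print("extracted witness", extract(2, s1, 5, s2), "== w:", extract(2, s1, 5, s2) == w)
    I2, r2, s3 = hvzk_simulate(x)
    print("simulated transcript passes:", verifier_check(x, I2, r2, s3))
```

The extractor is the proof-of-knowledge side of the next slide: a machine that can rewind the prover to the same I and obtain two answers outputs w, so an accepting prover must "know" the discrete logarithm.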


Proofs vs Proofs of Knowledge 

Proof: Prover shows x ∈ L 

Proof of Knowledge: Prover shows x ∈ L and that he knows a witness w for that 

What does it mean to know? 
• Informally: we can make P output w 
• More formally: there exists a machine E called an extractor that can output w after interacting with P 

The extractor works like a simulator, but doesn't interact with V but with P 

How many rounds? 

4-round protocols for NP exist 

If for language L there exists a ZK protocol with 3 rounds and negligible soundness, then L is trivial (L ∈ BPP) 

Non-interactive, 1-round protocols are impossible 

We will show them during the next lecture 


Thank you! 


